Hackers crack Mitsubishi’s high-tech SUV

MITSUBISHI Australia has recommended owners of its Outlander PHEV plug-in petrol-electric SUV turn off the vehicle's wireless internet hub after hackers broke into one using nothing but a laptop computer.

The hack, revealed overnight, has found security breaches in the software used to allow owners to remotely control functions of the Outlander PHEV, British software security group Pen Test Partners said.

“Some of them [the hacks] are just funny, but some of them actually really are quite nasty,” online security researcher Ken Munro said in a video posted on the company’s website showing how the hacks worked.

What concerned the hackers was that unlike other remote access applications, which used the relatively secure mobile phone network to link an owner’s smartphone to the car, the Mitsubishi Outlander PHEV used an on-board wireless network that the researchers could easily access.

This, combined with a relatively insecure electronic key linking the owner’s software with the car, “just isn’t enough”, Munro said – even though he admitted that with basic key-cracking software it would take at least four days to work out what it was.

However, for about £1000, or the equivalent of $2000, hackers could have the key “almost instantaneously”, he said.

Once in control, hackers can turn on the car’s lights, play with the heating and cooling, turn off the alarm and open the doors, and even search for a victim using wireless network sniffing tools. At worst, though, hackers can only flatten the car's batteries, although the ability to disable the alarm means breaking into or stealing the $47,490 plug-in hybrid is easier.

Since the hackers revealed their findings, Mitsubishi said it was working on a solution to the problem.

Mitsubishi Australia said Outlander PHEVs sold here did have the same app-based system as the one that was hacked.

"Our counterparts in Europe have recommended that, at this early stage and until further technical investigation, customers who are concerned about their vehicle should deactivate the WiFi using the ‘Cancel VIN Registration’ option on the app, or by using the remote app cancellation procedure," Mitsubishi Australia spokesman Shayna Welsh told Wheels.

"In the meantime, the hacking is a first for Mitsubishi Motors as none other has been reported anywhere else in the world."

Mitsubishi’s connected car woes follow on from an Australian hacker who in February revealed he was able to take control of any Nissan Leaf in the world – from a deckchair beside his pool – using a smartphone app that was meant to remotely link owners with the world’s best-selling electric car.

The security breach forced Nissan to take the Leaf’s internet-based owner’s access offline while it plugged the security gap.

Similarly, a group of US hackers was able to remotely break into a Jeep Cherokee and wrestle control away from the driver, playing with the brakes and accelerator while it was moving.